Most of the setups I see describe a layered approach:
        firewall
           |
     lb (lvs director)
          /|\
      http servers
Is there any technical advantage to separating the firewall and lb onto
different pieces of hardware? Is it a requirement? Say we wanted to
have a fully redundant setup. That would require 2 firewalls (1 hot, 1
spare) and 2 directors (1 hot, 1 spare). Wouldn't it make more sense to
just have the firewall and the director be the same machine? That way
you get the same level of redundancy with only the cost of 2 servers
instead of one. Modern Intel processors + Linux + Intel 4 or 6 port Gb
adapter should be able to handle large amounts of traffic (which we
don't really have) without even blinking, right?
    firewall + lvs director
             /|\
         http servers
Checkpoint's firewalls support this type of functionality. For example,
you can do nat based load balancing (there are 4 or 5 different
algorithms it supports) right from the firewall. Has anyone else done
this? Are there any firewall projects (they currently don't have a
module from what I can tell) that include a LVS module for configuring
load balancing?
Right now we have managed firewall (checkpoint NG) (nat based public ->
private ip) and load balancing (alteon) services that cost us an arm and
a leg on a monthly basis. The alteon has some horsepower sure, but we
don't even really need the level of performance it offers us, we're not
exchanging tons of data and don't have thousands of simultaneous
connections. On top of that its performance is limited by the
firewall's bandwidth capabilities anyway. The Nokia IP330 (Checkpoint
NG) is kinda slow and getting long in the tooth (we don't own this
equipment, it's managed). I'd like to take these services in house and
save our small company a ton of money.
I'd like to hear your thoughts on what I've described. For the curious,
we're ditching all of our Sun equipment and moving to Dell + Debian
Sarge on everything, and the networking changes are part of the retooling
of our environment.
-Matt
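As an added illustration (not part of Matt's post, and not a configuration from the LVS project), here is what the combined "firewall + LVS director" box he sketches looks like when expressed as iptables plus ipvsadm, using NAT mode so public VIP traffic is rewritten to the private real-server addresses. All addresses and interface names are constructed placeholders; the script only prints the commands unless APPLY=1 is set, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Combined firewall + LVS-NAT director on one Linux host (added example).
# Placeholders (constructed, not from the post):
PUB_IF=eth0                 # public-facing interface
PRIV_IF=eth1                # interface toward the real servers
VIP=203.0.113.10            # public virtual IP served by the director
PRIV_NET=192.168.10.0/24    # private real-server network
RIPS="192.168.10.11 192.168.10.12"   # real (http) servers

# Dry-run wrapper: print each command unless APPLY=1 is exported.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

gen_rules() {
    # The director must forward for LVS-NAT: real servers use it as gateway.
    run sysctl -w net.ipv4.ip_forward=1

    # Firewall half: default-deny on INPUT and FORWARD, allow only what the
    # service needs. For LVS-NAT the VIP is a local address, so inbound
    # client packets are filtered in INPUT before IPVS sees them (assumption
    # based on the IPVS hook ordering); replies from real servers traverse
    # FORWARD.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Public clients may only open HTTP to the VIP.
    run iptables -A INPUT -i "$PUB_IF" -p tcp -d "$VIP" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Administration only from the private side.
    run iptables -A INPUT -i "$PRIV_IF" -s "$PRIV_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Real servers may initiate outbound (updates, DNS); masquerade them.
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$PRIV_NET" \
        -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$PRIV_NET" -o "$PUB_IF" -j MASQUERADE

    # Load-balancer half: one virtual TCP service on the VIP, weighted
    # least-connection scheduling, each real server added in NAT (-m) mode.
    run ipvsadm -C
    run ipvsadm -A -t "$VIP:80" -s wlc
    for rip in $RIPS; do
        run ipvsadm -a -t "$VIP:80" -r "$rip:80" -m -w 1
    done
}

# Convenience counters so the rule set can be sanity-checked in dry-run mode.
count_real_servers() { gen_rules | grep -c '^ipvsadm -a '; }
count_default_policies() { gen_rules | grep -c '^iptables -P '; }

gen_rules
```

Run it once without APPLY to read the generated rule set, then with `APPLY=1` on the director. The failover half of Matt's design (a hot and a spare director sharing the VIP and the NAT connection state) is outside this script; tools such as keepalived or heartbeat handle that, and with LVS-NAT both the IPVS table and the connection tracking state have to survive a failover for existing client sessions to continue.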